I just read this article and I pretty much got it, although there is still something I’m not quite sure about… in the Solution part, the writer talks about a series of tokens.
Did he mean a unique ID for a username that never changes? would the normal user id stored in the database be fine for this use? That ‘normal’ user id will most likely be known to the user, so I’m not sure if this is supposed to be kept secure or not…
And, what is a good way to generate a token ‘from a large space’ as recommended in the article?
I just read this article and I pretty much got it, although there is
Share
One naive way to generate the series of tokens is to iterate a hash:
T_0: username + hash(username)
T_1: username + hash(T_0)
T_2: username + hash(T_1)
…
The downside to this approach is a stolen cookie gives away future access. A better way to generate the series of tokens is to use a CTR-style approach:
R = rand()
T_0: username + hash(R)
T_1: username + hash(R+1)
T_2: username + hash(R+2)
…
If the hash is strong enough (SHA-256, for example), and the random number really is selected randomly from a large enough pool (reading a dozen bytes from
/dev/urandomfor an easy source..) then knowledge of any one cookie couldn’t be used to figure out future cookies — without going through the web service, that is.